On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.
The plugin developers quickly replied and we sent over the full disclosure on the same day. Fully patched versions of all vulnerable components were made available on May 10, 2022.
Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against these vulnerabilities on April 5, 2022. Sites still running the free version of Wordfence received the same protection 30 days later, on May 4, 2022.
We strongly recommend updating to the latest patched version for your installation as soon as possible, since this will remove the vulnerabilities. If you are using the classic Jupiter theme, you should update to at least version 6.10.2. If you are using the JupiterX theme, you should update to at least version 2.0.8 of the JupiterX Core plugin, and at least version 2.0.7 of the JupiterX Core theme, which are the latest versions available at the time of this writing.
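To check an installation against the minimum versions above, the following added example (not part of the original advisory and not Wordfence or vendor code) reads the `Version:` header of each component and compares it with the patched version. The directory slugs `jupiter`, `jupiterx`, and `jupiterx-core`, the header file names, and the reading of the 2.0.7 minimum as applying to the JupiterX theme's `style.css` are assumptions.

```python
import re
import sys
from pathlib import Path

# Minimum patched versions as stated in the advisory. The relative paths
# (default install slugs and header files) are assumptions, not from the page.
MINIMUMS = {
    "themes/jupiter/style.css": ("Jupiter theme", "6.10.2"),
    "themes/jupiterx/style.css": ("JupiterX theme", "2.0.7"),
    "plugins/jupiterx-core/jupiterx-core.php": ("JupiterX Core plugin", "2.0.8"),
}
# Same shape as the header line WordPress reads from style.css / plugin files.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def to_tuple(version):
    """'6.10.2-beta' -> (6, 10, 2); None if there is no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_patched(installed, minimum):
    """Compare after zero-padding so that 2.0 == 2.0.0."""
    n = max(len(installed), len(minimum))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) >= pad(minimum)

def audit(wp_content):
    """Return (component, installed, minimum, status) for each one found."""
    results = []
    for rel, (name, minimum) in MINIMUMS.items():
        path = Path(wp_content) / rel
        if not path.is_file():
            continue  # component not installed at the assumed location
        head = path.read_text(errors="replace")[:8192]  # headers sit at the top
        m = HEADER_RE.search(head)
        installed = m.group(1) if m else None
        parsed = to_tuple(installed) if installed else None
        if parsed is None:
            status = "unknown"  # no readable Version header: check by hand
        elif is_patched(parsed, to_tuple(minimum)):
            status = "patched"
        else:
            status = "VULNERABLE"
        results.append((name, installed, minimum, status))
    return results

if __name__ == "__main__":
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        print("{:22} installed={} minimum={} {}".format(*row))
```

Run it with the path to a site's `wp-content` directory; components that are not present at the assumed paths are skipped rather than reported as patched.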